Report of the Independent Accountant


To the Management of Korea Electronic Certification Authority, Inc. (“CrossCert”): 

We have examined the assertions by the management of CrossCert, a subordinate Certification Authority 
of Symantec Corporation, that for its Certification Authority (CA) operations at Republic of Korea, 
throughout the period July 1, 2015 to June 30, 2016 for its CA services listed in Appendix A, CrossCert 
has: 

• disclosed its business, key lifecycle management, certificate lifecycle management, and CA
environmental control practices in its:

o CrossCert Certificate Practice Statement Version 3.8.8,

• maintained effective controls to provide reasonable assurance that:

o CrossCert provides its services in accordance with its Certification Practice Statement

• maintained effective controls to provide reasonable assurance that:

o the integrity of keys and certificates it manages is established and protected throughout
their lifecycles;

o the integrity of subscriber keys and certificates it manages is established and protected
throughout their lifecycles

o subscriber information is properly authenticated (for the registration activities performed
by CrossCert); and

o subordinate CA certificate requests are accurate, authenticated, and approved

• maintained effective controls to provide reasonable assurance that:

o logical and physical access to CA systems and data is restricted to authorized individuals;
o the continuity of key and certificate management operations is maintained; and
o CA systems development, maintenance, and operations are properly authorized and
performed to maintain CA systems integrity

based on the WebTrust Principles and Criteria for Certification Authorities, Version 2.0. 

CrossCert’s management is responsible for its assertion. Our responsibility is to express an opinion on 
management’s assertion based on our examination. 

We conducted our examination in accordance with standards for attestation engagements established by 
the American Institute of Certified Public Accountants and, accordingly, included: 

(1) obtaining an understanding of CrossCert’s key and certificate lifecycle management business 
practices and its controls over key and certificate integrity, over the authenticity and 
confidentiality of subscriber and relying party information, over the continuity of key and 
certificate lifecycle management operations and over the development, maintenance and 
operation of systems integrity; 

(2) selectively testing transactions executed in accordance with disclosed key and certificate 
lifecycle management business practices; 

(3) testing and evaluating the operating effectiveness of the controls; and

(4) performing such other procedures as we considered necessary in the circumstances. 

We believe that our examination provides a reasonable basis for our opinion. 

The relative effectiveness and significance of specific controls at CrossCert and their effect on 
assessments of control risk for subscribers and relying parties are dependent on their interaction with the 
controls and other factors present at individual subscriber and relying party locations. We have performed 
no procedures to evaluate the effectiveness of controls at individual subscriber and relying party locations. 

Because of the nature and inherent limitations of controls, CrossCert’s ability to meet the aforementioned 
criteria may be affected. For example, controls may not prevent, or detect and correct, error, fraud, 
unauthorized access to systems and information, or failure to comply with internal and external policies 
or requirements. Also, the projection of any conclusions based on our findings to future periods is subject 
to the risk that changes may alter the validity of such conclusions. 

In our opinion, throughout the period July 1, 2015 to June 30, 2016, CrossCert management’s assertion, 
as referred above, is fairly stated, in all material respects, based on the WebTrust Principles and Criteria 
for Certification Authorities, Version 2.0. 

This report does not include any representation as to the quality of CrossCert's services beyond those 
covered by the WebTrust Principles and Criteria for Certification Authorities, Version 2.0, nor the
suitability of any of CrossCert's services for any customer's intended purpose. 

CrossCert’s use of the WebTrust for Certification Authorities Seal constitutes a symbolic representation
of the contents of this report and it is not intended, nor should it be construed, to update this report or 
provide any additional assurance. 



Seoul, Republic of Korea 
November 21, 2016 

Appendix A - Root and Issuing CAs that account for CrossCert CA Services


Symantec Root CAs: 

• VeriSign Class 1 Public Primary Certification Authority - G3

• VeriSign Class 2 Public Primary Certification Authority - G3

• VeriSign Class 3 Public Primary Certification Authority

• VeriSign Class 3 Public Primary Certification Authority - G5

• Symantec Class 3 Internal Root CA

CrossCert Root CAs

• CrossCert Class 2 CA - G2

• CrossCert Class 2 CA - G3


Symantec SSL Issuing CAs:

• VeriSign Class 3 Secure Server CA - G3

• VeriSign Class 3 International Server CA - G3

• Symantec Class 3 Secure Server CA - G4

Symantec Other Issuing CAs

• CrossCert Class 1 Consumer Individual Subscriber CA - G2

• CrossCert Class 1 Consumer Individual Subscriber CA - G3

• CrossCert Class 2 Managed MPKI Individual Subscriber CA - G2

• CrossCert Class 2 Managed MPKI Individual Subscriber CA - G3

• CrossCert Class 3 Private MPKI Enterprise Administrator CA

• CrossCert Class 3 Private MPKI Operational Administrator CA

• CrossCert Automated Administration

CrossCert Issuing CAs

• POSCO Online CA-G2

• POSCO Online CA-G3

• POSCOPNS Online CA

• POSCOPNS Online CA-G2

Assertion of Management as to
its Disclosure of its Business Practices and its Controls Over
its Certification Authority Operations
throughout the period July 1, 2015 to June 30, 2016


November 21, 2016

Korea Electronic Certification Authority, Inc. (“CrossCert”) operates the Certification Authority (CA) 
services as a subordinate CA of Symantec Corporation (“Symantec”). The Symantec and CrossCert Root 
and Issuing CAs are listed in Appendix A and provide the following CA services: 

• Subscriber registration
• Certificate rekey
• Certificate issuance
• Certificate distribution
• Certificate revocation
• Certificate validation
• Subscriber key management
• Subordinate CA certification

The management of CrossCert is responsible for establishing and maintaining effective controls over its 
CA operations, including CA business practices disclosure on its website, CA business practices 
management, CA environmental controls, CA key lifecycle management controls, subscriber key lifecycle 
management controls, certificate lifecycle management controls, and subordinate CA certificate lifecycle
management controls. These controls contain monitoring mechanisms, and actions are taken to correct 
deficiencies identified. 

There are inherent limitations in any controls, including the possibility of human error and the 
circumvention or overriding of controls. Accordingly, even effective controls can only provide reasonable 
assurance with respect to CrossCert’s Certification Authority operations. Furthermore, because of 
changes in conditions, the effectiveness of controls may vary over time. 

CrossCert management has assessed its disclosures of its certificate practices and controls over its CA 
services. Based on that assessment, in CrossCert management’s opinion, in providing its Certification 
Authority (CA) services at Republic of Korea, CrossCert-CA, throughout the period July 1, 2015 to June 
30, 2016, CrossCert has: 

• disclosed its Business, key lifecycle management, certificate lifecycle management, and CA
environmental control practices in its:

o CrossCert Certificate Practice Statement Version 3.8.8,

• maintained effective controls to provide reasonable assurance that:

o CrossCert provides its services in accordance with its Certification Practice Statement

• maintained effective controls to provide reasonable assurance that:

o the integrity of keys and certificates it manages is established and protected throughout
their lifecycles;

o the integrity of subscriber keys and certificates it manages is established and protected
throughout their lifecycles

o subscriber information is properly authenticated (for the registration activities performed
by CrossCert); and

o subordinate CA certificate requests are accurate, authenticated, and approved

• maintained effective controls to provide reasonable assurance that:

o logical and physical access to CA systems and data is restricted to authorized individuals;
o the continuity of key and certificate management operations is maintained; and
o CA systems development, maintenance, and operations are properly authorized and
performed to maintain CA systems integrity

based on the WebTrust Principles and Criteria for Certification Authorities, Version 2.0, including the
following:

CA Business Practices Disclosure 

• Certification Practice Statement (CPS) 

CA Business Practices Management 

• Certification Practice Statement Management 

• CP and CPS Consistency 

CA Environmental Controls 

• Security Management 

• Asset Classification and Management 

• Personnel Security 

• Physical & Environmental Security 

• Operations Management

• System Access Management 

• System Development and Maintenance 

• Business Continuity Management 

• Monitoring and Compliance 

• Audit Logging 

CA Key Lifecycle Management Controls 

• CA Key Generation 

• CA Key Storage, Backup, and Recovery 

• CA Public Key Distribution 

• CA Key Usage 

• CA Key Archival and Destruction 

• CA Key Compromise 

• CA Cryptographic Hardware Lifecycle Management 

Subscriber Key Lifecycle Management Controls

• CA-Provided Subscriber Key Generation Services 

• CA-Provided Subscriber Key Storage and Recovery Services 

• Requirements for Subscriber Key Management 

Certificate Lifecycle Management Controls 

• Subscriber Registration 

• Certificate Rekey 

• Certificate Issuance 

• Certificate Distribution

• Certificate Revocation 

• Certificate Validation 

Subordinate CA Certificate Lifecycle Management Controls 

• Subordinate CA Certificate Lifecycle Management 



Richard H. Shinn 
CEO 

Appendix A - Root and Issuing CAs that account for CrossCert CA Services


Symantec Root CAs: 

• VeriSign Class 1 Public Primary Certification Authority - G3

• VeriSign Class 2 Public Primary Certification Authority - G3

• VeriSign Class 3 Public Primary Certification Authority

• VeriSign Class 3 Public Primary Certification Authority - G5

• Symantec Class 3 Internal Root CA

CrossCert Root CAs

• CrossCert Class 2 CA - G2

• CrossCert Class 2 CA - G3


Symantec SSL Issuing CAs:

• VeriSign Class 3 Secure Server CA - G3

• VeriSign Class 3 International Server CA - G3

• Symantec Class 3 Secure Server CA - G4

Symantec Other Issuing CAs

• CrossCert Class 1 Consumer Individual Subscriber CA - G2

• CrossCert Class 1 Consumer Individual Subscriber CA - G3

• CrossCert Class 2 Managed MPKI Individual Subscriber CA - G2

• CrossCert Class 2 Managed MPKI Individual Subscriber CA - G3

• CrossCert Class 3 Private MPKI Enterprise Administrator CA

• CrossCert Class 3 Private MPKI Operational Administrator CA

• CrossCert Automated Administration

CrossCert Issuing CAs

• POSCO Online CA-G2

• POSCO Online CA-G3

• POSCOPNS Online CA

• POSCOPNS Online CA-G2